CVE-2017-14101 in Conserus Image Repository Archive Solution
Summary
by MITRE
A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker.
Analysis
by VulDB Data Team • 12/15/2019
The CVE-2017-14101 vulnerability represents a critical XML External Entity processing flaw within the Conserus Image Repository archive solution version 2.1.1.105 developed by McKesson Medical Imaging Company, which later became part of Change Healthcare. This vulnerability exists in the SOAP-based web service interface that processes image repository requests, creating an attack surface where malicious actors can exploit improper XML parsing mechanisms. The flaw specifically manifests in the application's handling of external entity references within XML documents, allowing attackers to manipulate the parsing process through crafted SOAP requests. The vulnerability's classification aligns with CWE-611, which identifies improper restriction of XML external entity references as a fundamental weakness in web application security architecture.
The technical exploitation of this XXE vulnerability occurs when an unauthenticated attacker submits a modified HTTP SOAP request containing malicious XML content that references external entities. The application's XML parser processes these entities without proper validation, enabling the attacker to perform arbitrary file reads from the local file system where the application operates. This access extends beyond simple file enumeration to potentially expose sensitive application configuration files, database connection details, and other critical system resources. Additionally, the vulnerability permits the extraction of hashed credentials from the application's service accounts, which can be transmitted to remote attacker-controlled servers through the same XML processing mechanism. This dual impact of local file access and credential extraction creates a comprehensive attack vector that can compromise both system integrity and authentication mechanisms.
The operational impact of CVE-2017-14101 extends beyond immediate data theft to encompass potential system compromise and regulatory violations within healthcare environments. Healthcare organizations utilizing this imaging repository solution face significant risks including unauthorized access to patient medical records, exposure of protected health information, and potential disruption of critical medical imaging workflows. The vulnerability's unauthenticated nature means that any external attacker can exploit it without requiring legitimate credentials, making it particularly dangerous in network environments where such systems may be exposed to the internet. The extracted hashed credentials could facilitate further attacks through credential reuse or password spraying techniques, potentially leading to privilege escalation within the healthcare network. This vulnerability directly impacts the security posture of medical imaging systems and could violate healthcare compliance requirements such as HIPAA regulations.
Mitigation strategies for CVE-2017-14101 should focus on implementing robust XML parser configurations that disable external entity processing and DTD (Document Type Definition) resolution. Organizations should deploy input validation mechanisms that sanitize all XML content received through SOAP interfaces, particularly within healthcare environments where such systems handle sensitive data. Network segmentation and access controls should be implemented to limit exposure of the vulnerable service to untrusted networks. The application should be updated to a patched version that properly handles XML parsing without allowing external entity references. Security monitoring should include detection of suspicious SOAP request patterns and unusual file access attempts. According to ATT&CK framework technique T1213, this vulnerability could be leveraged for data exploitation through the extraction of stored credentials and files, making it a significant concern for healthcare security teams. Regular security assessments and vulnerability scanning should be conducted to identify similar XXE vulnerabilities in other applications within the healthcare ecosystem.
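The parser-hardening and monitoring points above can be combined in a pre-parse gate that refuses any SOAP body carrying a DOCTYPE or entity declaration and returns a reason string for the security log. The following is an added illustration in Python, not code from the vendor or from VulDB; the product's own parser stack is not described on this page, and the function names, the `Query` element and the sample bodies are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class RejectedXML(ValueError):
    """Request body declares a DTD or entity, or is not well-formed."""


def _reject(kind):
    # Build an expat callback that aborts parsing as soon as it fires.
    def handler(*args):
        raise RejectedXML(f"{kind} not allowed in SOAP request: {args[0]!r}")
    return handler


def parse_soap_strict(body: bytes) -> ET.Element:
    """Parse a SOAP body only if it contains no DOCTYPE or entity declarations."""
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject("DOCTYPE")
    guard.EntityDeclHandler = _reject("entity declaration")
    guard.ExternalEntityRefHandler = _reject("external entity reference")
    try:
        guard.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return ET.fromstring(body)


def screen_request(body: bytes):
    """Return None if the body is acceptable, else a reason to log and alert on."""
    try:
        parse_soap_strict(body)
    except RejectedXML as exc:
        return str(exc)
    return None


# Constructed sample bodies (hypothetical element names, placeholder URL).
CLEAN = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
         '<Query>study-1</Query></soap:Body></soap:Envelope>').encode()
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE Envelope ['
            b'<!ENTITY e SYSTEM "http://example.invalid/constructed">]>'
            + CLEAN.replace(b"study-1", b"&e;"))

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("with DTD", WITH_DTD)):
        print(name, "->", screen_request(body) or "accepted")
```

Because a legitimate SOAP client has no reason to send a DOCTYPE, every non-`None` result from `screen_request` is worth recording with the source address as a detection signal.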